FAQ
Frequently asked questions about PreBreach, AI-powered penetration testing, pricing, and security.
Frequently Asked Questions
Find answers to the most common questions about PreBreach below. If your question is not covered here, reach out to our support team at support@prebreach.com.
Scanning
How long does a scan take?
A typical scan takes 30 to 60 minutes depending on the size and complexity of your application. Larger applications with many subdomains, pages, and API endpoints will take longer. The scan runs through five phases — reconnaissance, active scanning, AI analysis, validation, and report generation — each of which contributes to the total duration.
You can monitor progress in real time from the scan detail page in your dashboard. You will also receive a notification when the scan is complete.
What do you scan for?
PreBreach scans for vulnerabilities across the OWASP Top 10 and beyond, with a particular focus on issues common in modern web stacks. This includes:
- Injection flaws — SQL injection, NoSQL injection, command injection, and template injection.
- Broken authentication — Weak session management, exposed JWT secrets, missing MFA enforcement.
- Sensitive data exposure — Unprotected API keys, leaked credentials, exposed environment variables.
- Security misconfigurations — Default credentials, open admin panels, overly permissive CORS policies, misconfigured headers.
- Broken access control — IDOR vulnerabilities, privilege escalation paths, missing authorization checks.
- Server-side request forgery (SSRF) — Internal network probing through vulnerable server-side requests.
- Cross-site scripting (XSS) — Reflected, stored, and DOM-based XSS vectors.
- Insecure dependencies — Known CVEs in client-side and server-side libraries.
Our 24 custom scanning templates are specifically tuned for Next.js, Supabase, Firebase, Vercel, and other modern frameworks.
Is it safe to scan my production application?
Yes. PreBreach is designed to be non-destructive. Probes are crafted not to change application state: the scanner does not modify data, submit forms with destructive payloads, or attempt to exploit vulnerabilities in a way that could disrupt your service.
The scanning approach is comparable to what an automated security auditor would do: it sends carefully crafted requests, observes responses, and analyzes behavior without altering state. As with any security tool, we recommend running your first scan against a staging environment if you want to observe the traffic patterns before scanning production. Two caveats apply to any scanner, PreBreach included: an endpoint that performs an action in response to a plain GET request (sending an email, creating a record) can be triggered by a crawler that simply follows links, and a WAF or rate limiter that blocks scanner traffic silently reduces coverage rather than producing a finding. Let whoever monitors your alerts know when a scan is scheduled so it is not mistaken for an attack.
Can I scan any website?
No. You can only scan websites that you own or have explicit authorization to test. PreBreach enforces this through mandatory DNS verification — you must add a specific TXT record to the domain's DNS configuration to prove administrative control before any scan can be initiated.
Attempting to scan domains you do not control violates our terms of service and may also violate applicable laws.
What frameworks and stacks are supported?
PreBreach works with any publicly accessible web application, but it provides enhanced coverage for modern stacks through 24 purpose-built scanning templates:
- Frontend frameworks — Next.js, React, Vue, Svelte, Angular, Astro, Nuxt.
- Backend platforms — Node.js, Express, Django, Rails, FastAPI, Laravel.
- Cloud and hosting — Vercel, Netlify, AWS, Google Cloud, Firebase Hosting.
- Backend-as-a-Service — Supabase, Firebase, Appwrite, Convex.
- CMS platforms — WordPress, Strapi, Sanity, Contentful.
Even if your stack is not listed, the general scanning pipeline covers all standard web vulnerabilities. The specialized templates simply improve detection accuracy for framework-specific issues.
Results and Reports
What if I find critical vulnerabilities?
If your scan reveals critical or high-severity findings, we recommend the following:
- Review the report carefully — Each finding includes a severity score (CVSS v4.0), a description of the vulnerability, proof-of-concept evidence, and specific remediation guidance.
- Prioritize by severity — Address Critical and High findings first, as these represent the most immediate risk.
- Apply the recommended fixes — The report provides actionable remediation steps tailored to your technology stack.
- Re-scan to verify — After applying fixes, run another scan to confirm the vulnerabilities have been resolved.
For critical vulnerabilities that require immediate attention, PreBreach highlights them prominently in the report summary and in dashboard notifications.
What is the false positive rate?
PreBreach achieves a false positive rate of less than 5% through multi-model AI validation. Here is how:
- Tool-level scanning identifies potential vulnerabilities using industry-standard tools.
- Claude Opus (primary AI) analyzes raw findings, applies context, and filters out noise.
- GPT (validation AI) independently reviews the same findings as a second opinion.
- Consensus scoring — Only findings confirmed by both models are included in the final report with high confidence.
This multi-agent approach significantly reduces false positives compared to traditional automated scanners, which commonly produce false positive rates of 20-40%.
Do you store my data?
PreBreach stores your scan reports for the retention period defined by your plan:
| Plan | Report Retention |
|---|---|
| Starter | 90 days |
| Pro | 1 year |
| Agency | 1 year |
PreBreach does not access, download, or store your application source code. The scanner interacts with your application the same way a browser or API client would — through HTTP requests to publicly accessible endpoints.
Scan data and reports are encrypted at rest and in transit. When a report exceeds its retention period, it is permanently deleted from our systems.
How is PreBreach different from OWASP ZAP or Burp Suite?
PreBreach complements traditional tools like OWASP ZAP and Burp Suite rather than replacing them entirely. The key differences are:
| | PreBreach | OWASP ZAP / Burp Suite |
|---|---|---|
| Setup | No installation — runs as a cloud SaaS | Requires local installation and configuration |
| AI Analysis | 8 specialized AI agents validate and contextualize findings | No AI — relies on signature-based detection |
| False Positives | < 5% with multi-model consensus | Typically 20-40% requiring manual triage |
| Modern Stack Support | 24 templates for Next.js, Supabase, Vercel, Firebase | Generic web scanning, limited framework awareness |
| Reports | Professional PDF/HTML/JSON with CVSS v4.0 and grades | Raw findings that require manual interpretation |
| Maintenance | Fully managed — templates and models updated continuously | Manual rule and plugin updates |
PreBreach is ideal for teams that want professional-grade security assessments without the overhead of configuring and maintaining traditional pentesting tools.
Domains and Verification
How does DNS verification work?
When you add a domain to PreBreach, the platform generates a unique TXT record value. You add this record to your domain's DNS configuration through your DNS provider (such as Cloudflare, Namecheap, or your registrar's DNS panel). PreBreach then queries your DNS records to confirm the TXT record is present.
The verification process typically looks like this:
- Add your domain in the PreBreach dashboard.
- Copy the provided TXT record (e.g., prebreach-verify=abc123def456).
- Add the TXT record to your domain's DNS settings.
- Click Verify in the dashboard. PreBreach checks for the record.
- Once confirmed, your domain status changes to Verified and scanning is enabled.
DNS propagation can take up to 48 hours, though most providers propagate within minutes. For a detailed walkthrough, see DNS Verification.
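If you want to confirm the record is visible before clicking Verify (the same ownership check that the "Can I scan any website?" answer above relies on), the following is an added example written for this page; it is not PreBreach's own verification code. It parses what `dig +short TXT yourdomain.com` prints and classifies the result as verified, mismatch (a prebreach-verify record exists but with an old or mistyped token) or missing (nothing visible yet, typically the wrong hostname or propagation still in progress). The `prebreach-verify=abc123def456` value comes from the step list above; the SPF and Google records in the sample output are constructed. While a record is propagating, query the zone's authoritative nameserver directly (`dig +short TXT yourdomain.com @ns1.yourdomain.com`, also wrapped below as `query_txt`) so a cached answer from your local resolver does not mislead you.

```python
"""Added example (not PreBreach's verification code): confirm that a domain's
TXT records carry the expected prebreach-verify token.

The record format prebreach-verify=... and the token abc123def456 come from the
FAQ; the SPF and Google records in the sample are constructed. Parsing works on
the text `dig +short TXT <domain>` prints, so the check runs offline against
captured output; `query_txt` shells out to dig for a live check.
"""
from __future__ import annotations

import hmac
import re
import subprocess
from typing import Optional

# dig prints each TXT record as one or more double-quoted <character-string>s,
# e.g. "prebreach-verify=abc123" "def456" for a record stored in two chunks.
_QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def parse_dig_txt(output: str) -> list[str]:
    """Turn `dig +short TXT` output into one Python string per TXT record."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank lines, dig comments
            continue
        chunks = _QUOTED.findall(line)
        if not chunks:                            # e.g. a CNAME target, not TXT
            continue
        # undo dig's backslash escaping inside each chunk, then join the chunks
        records.append("".join(re.sub(r"\\(.)", r"\1", c) for c in chunks))
    return records


def check_verification(records: list[str], expected: str) -> str:
    """Classify the zone's TXT records against the expected record value.

    Returns 'verified' when a record matches exactly, 'mismatch' when a
    prebreach-verify record exists but carries a different (old or mistyped)
    token, and 'missing' when no such record is visible yet, which usually
    means the record was added under the wrong name or has not propagated.
    """
    prefix = expected.split("=", 1)[0] + "="
    found = [r.strip() for r in records if r.strip().startswith(prefix)]
    if not found:
        return "missing"
    # exact, constant-time comparison: a server-side verifier should neither
    # accept a prefix match nor leak the token through timing differences
    if any(hmac.compare_digest(r.encode(), expected.encode()) for r in found):
        return "verified"
    return "mismatch"


def query_txt(domain: str, nameserver: Optional[str] = None) -> list[str]:
    """Live lookup via dig (needs dnsutils/bind-utils installed). Pass the
    zone's authoritative nameserver to bypass resolver caches while waiting
    for propagation, e.g. query_txt("example.com", "ns1.example.com")."""
    cmd = ["dig", "+short", "TXT", domain]
    if nameserver:
        cmd.append("@" + nameserver)
    out = subprocess.run(cmd, capture_output=True, text=True, check=True).stdout
    return parse_dig_txt(out)


# Constructed sample of what dig might print for a zone that already carries
# SPF and Google site-verification records; the PreBreach record is split into
# two chunks to show that chunks are concatenated into one record.
SAMPLE_DIG_OUTPUT = '''\
"v=spf1 include:_spf.google.com ~all"
"google-site-verification=7mQ0abcDEFghi"
"prebreach-verify=abc123" "def456"
'''
EXPECTED = "prebreach-verify=abc123def456"

if __name__ == "__main__":
    recs = parse_dig_txt(SAMPLE_DIG_OUTPUT)
    print(recs)
    print(check_verification(recs, EXPECTED))                     # verified
    print(check_verification(recs, "prebreach-verify=deadbeef"))  # mismatch
    print(check_verification(recs[:2], EXPECTED))                 # missing
```

Running the file classifies the constructed sample; for a real zone, replace the sample with `query_txt("yourdomain.com", "ns1.yourdomain.com")`. A "mismatch" result is the usual symptom of a token generated for an earlier registration of the same domain, which is why a domain removed from the dashboard has to be re-verified with the new value rather than reusing the old record.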
Billing and Account
Can I cancel my subscription at any time?
Yes. There are no long-term contracts or cancellation fees. You can cancel from Settings > Billing at any time. When you cancel:
- Your plan remains active until the end of the current billing period.
- Unused credits remain available until the period ends.
- Reports are accessible until their retention period expires.
- After the billing period ends, your account reverts to a limited read-only state.
What payment methods do you accept?
PreBreach accepts all major credit and debit cards (Visa, Mastercard, American Express, Discover) through our payment processor, DodoPayments. All transactions are encrypted and processed securely.
How does annual billing work?
Annual billing gives you a 17% discount compared to monthly pricing. You pay for 12 months upfront, and your credits renew monthly throughout the year just like they would on a monthly plan. You can switch between monthly and annual billing at any time from your account settings.
Can I upgrade or downgrade my plan?
Yes. You can change your plan at any time from Settings > Billing.
- Upgrades take effect immediately. The price difference is prorated for the current billing cycle, and your new credit allocation and features are available right away.
- Downgrades take effect at the start of your next billing cycle. If your current domain count exceeds the new plan's limit, you will need to remove domains before the downgrade processes.
Unused credits always carry over when changing plans.
What happens to my data if I cancel?
When you cancel your subscription:
- Your account remains active until the end of the current billing period.
- After the period ends, your account enters a read-only state. You can still log in and view reports that are within their retention window.
- Reports are permanently deleted once their retention period expires (90 days for Starter, 1 year for Pro and Agency).
- Domain registrations and verification records are removed 30 days after your subscription ends.
If you resubscribe later, you will need to re-add and re-verify your domains.
Do you offer refunds?
If you are unsatisfied with PreBreach, contact support@prebreach.com within 14 days of your initial subscription purchase. We handle refund requests on a case-by-case basis. Extra credit purchases are non-refundable once a credit has been consumed.
Is there an API?
Not yet. A REST API for programmatic scan management, report retrieval, and CI/CD integration is on our roadmap. If API access is important to your workflow, let us know at feedback@prebreach.com so we can prioritize accordingly.
Can I white-label reports for my clients?
White-label report customization is planned for a future release of the Agency plan. Currently, all reports carry PreBreach branding. If this feature is important to you, reach out to feedback@prebreach.com.
Getting Help
If your question was not answered here, contact us:
- Email — support@prebreach.com
- Feature requests — feedback@prebreach.com
We typically respond within 24 hours on business days. Agency plan subscribers receive priority support with faster response times.